Security Advisories (1)
CVE-2026-2597 (2026-02-27)

Crypt::SysRandom::XS versions before 0.010 for Perl are vulnerable to a heap buffer overflow in the XS function random_bytes(). The function does not validate that the length parameter is non-negative. If a negative value (e.g. -1) is supplied, the expression length + 1u causes an integer wraparound, resulting in a zero-byte allocation. The subsequent call to the chosen random function (e.g. getrandom) passes the original negative value, which is implicitly converted to a large unsigned value (typically SIZE_MAX). This can result in writes beyond the allocated buffer, leading to heap memory corruption and an application crash (denial of service). In common usage, the length argument is typically hardcoded by the caller, which reduces the likelihood of attacker-controlled exploitation. Applications that pass untrusted input to this parameter may be affected.
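The size arithmetic the advisory describes, placed beside a length check that rejects such requests before any allocation, as an added C illustration that is not the module's own XS code (the MAX_REQUEST cap and the fake_getrandom stand-in are assumptions made for this example):

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Sizes as the flawed path computes them: the buffer is sized as
 * `length + 1u` and the random source is asked for `length` bytes.
 * A negative `length` yields a zero-byte allocation for the first and
 * SIZE_MAX for the second, which is the mismatch behind the overflow. */
size_t unchecked_alloc_size(long length) { return (size_t)(length + 1u); }
size_t unchecked_fill_size(long length)  { return (size_t)length; }

/* Assumed policy cap on a single request; not a value from the module. */
#define MAX_REQUEST ((size_t)1 << 20)

/* Hardened size computation: reject negative and oversize requests so the
 * allocation and the fill length can never disagree. Returns 1 if valid. */
int checked_sizes(long length, size_t *alloc, size_t *fill) {
    if (length < 0 || (size_t)length > MAX_REQUEST) return 0;
    *fill = (size_t)length;
    *alloc = *fill + 1;   /* cannot overflow: fill <= MAX_REQUEST */
    return 1;
}

/* Stand-in for getrandom() so the example runs offline: fills `buf` with a
 * constant byte and reports how many bytes were written. */
static size_t fake_getrandom(unsigned char *buf, size_t n) {
    memset(buf, 0xA5, n);
    return n;
}

/* Hardened random_bytes: returns a malloc'd buffer holding `length` bytes
 * plus a NUL terminator (caller frees), or NULL if the request is rejected. */
unsigned char *safe_random_bytes(long length) {
    size_t alloc, fill;
    if (!checked_sizes(length, &alloc, &fill)) return NULL;
    unsigned char *buf = malloc(alloc);
    if (!buf) return NULL;
    if (fake_getrandom(buf, fill) != fill) { free(buf); return NULL; }
    buf[fill] = '\0';
    return buf;
}
```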

NAME

Crypt::SysRandom::XS - Perl interface to system randomness, XS version

VERSION

version 0.009

SYNOPSIS

use Crypt::SysRandom::XS 'random_bytes';
my $random = random_bytes(16);

DESCRIPTION

This module uses whatever C interface is available to procure cryptographically random data from the system.

FUNCTIONS

random_bytes($count)

This will fetch a string of $count random bytes containing cryptographically secure random data.

BACKENDS

At build-time, it will try the following backends in order:

  • getrandom

    This backend is available on Linux, FreeBSD and Solaris.

  • arc4random

    This interface is supported on most BSDs and Mac.

  • BCryptGenRandom

    This backend is available on Windows (Vista and newer).

  • rdrand64

    This is available on x86_64 architectures using most compilers.

  • rdrand32

    This is available on x86_64 and x86 architectures using most compilers.

AUTHOR

Leon Timmermans <fawaka@gmail.com>

COPYRIGHT AND LICENSE

This software is copyright (c) 2025 by Leon Timmermans.

This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself.